[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: execute permissions in /tmp

On Mon, Jul 14, 2003 at 01:02:33AM -0400, bda wrote:
> On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
> > If the user can read files in /tmp, they can execute the code in them.  What
> > problem is noexec /tmp supposed to solve?
> In the event that the machine gets popped (depending on the vector of
> attack), it makes it that much more difficult for the intruder to run
> exploits on the machine, as it's possible that they cannot write to any
> directory but /tmp. (This is admittedly unlikely as if they're
> exploiting a service, that service can mostly likely write SOMEWHERE,
> which allows for the execution of code; ignoring the fact that the
> attacker has likely already gained the ability to run arbitrary
> commands.)

I'd like to agree.
noexec almost certainly better than nothing at all!

Say for example, something is exploited via a website attack and
commands are executed via some PHP code - The attacker hasn't got a
shell and can't see what's going on so noexec may fool them in to
thinking the security is /too/ good, their code doesn't work etc. and
they'll leave it.
..as I said, better than nothing.

On a side note:
For those people who have made /tmp part of / (i.e. /tmp isn't a
partition and isn't mounted).. I created a file using dd and /dev/zero
of around 20Mb. Then used mkfs to make it in to a file system and
mounted it as /tmp with noexec and other permissions.

Although I believe there is tmpfs for this?

> It may seem like putting a pebble in front of a tank, but the only
> defense we have is a many-layered security policy.

Security by obscurity isn't it? At least you'd have the little bit of
extra padding there.

 .''`.     David Ramsden <david@hexstream.eu.org>
: :'  :    http://david.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.

Attachment: pgpScQtG8uIv8.pgp
Description: PGP signature

Reply to: